
Commit593d4e4

committed
Support OpenSSL 1.1.0.
Changes needed to build at all:

- Check for SSL_new in configure, now that SSL_library_init is a macro.
- Do not access struct members directly. This includes some new code in
  pgcrypto, to use the resource owner mechanism to ensure that we don't
  leak OpenSSL handles, now that we can't embed them in other structs
  anymore.
- RAND_SSLeay() -> RAND_OpenSSL()

Changes that were needed to silence deprecation warnings, but were not
strictly necessary:

- RAND_pseudo_bytes() -> RAND_bytes().
- SSL_library_init() and OpenSSL_config() -> OPENSSL_init_ssl()
- ASN1_STRING_data() -> ASN1_STRING_get0_data()
- DH_generate_parameters() -> DH_generate_parameters()
- Locking callbacks are not needed with OpenSSL 1.1.0 anymore. (Good
  riddance!)

Also change references to SSLEAY_VERSION_NUMBER with OPENSSL_VERSION_NUMBER,
for the sake of consistency. OPENSSL_VERSION_NUMBER has existed since time
immemorial.

Fix SSL test suite to work with OpenSSL 1.1.0. CA certificates must have
the "CA:true" basic constraint extension now, or OpenSSL will refuse them.
Regenerate the test certificates with that. The "openssl" binary, used to
generate the certificates, is also now more picky, and throws an error
if an X509 extension is specified in "req_extensions", but that section
is empty.

Backpatch to all supported branches, per popular demand. In back-branches,
we still support OpenSSL 0.9.7 and above. OpenSSL 0.9.6 should still work
too, but I didn't test it. In master, we only support 0.9.8 and above.

Patch by Andreas Karlsson, with additional changes by me.

Discussion: <20160627151604.GD1051@msg.df7cb.de>
1 parentc99dd5b commit593d4e4


50 files changed

+707
-534
lines changed


50 files changed

+707
-534
lines changed

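--- a/configure
+++ b/configure
@@ -9538,9 +9538,9 @@ else
 as_fn_error$?"library 'crypto' is required for OpenSSL""$LINENO" 5
 fi
 
-{$as_echo"$as_me:${as_lineno-$LINENO}: checking forSSL_library_init in -lssl">&5
-$as_echo_n"checking forSSL_library_init in -lssl...">&6; }
-if${ac_cv_lib_ssl_SSL_library_init+:}false;then:
+{$as_echo"$as_me:${as_lineno-$LINENO}: checking forSSL_new in -lssl">&5
+$as_echo_n"checking forSSL_new in -lssl...">&6; }
+if${ac_cv_lib_ssl_SSL_new+:}false;then:
 $as_echo_n"(cached)">&6
 else
 ac_check_lib_save_LIBS=$LIBS
@@ -9554,27 +9554,27 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-charSSL_library_init ();
+charSSL_new ();
 int
 main ()
 {
-returnSSL_library_init ();
+returnSSL_new ();
 ;
 return 0;
 }
 _ACEOF
 if ac_fn_c_try_link"$LINENO";then:
-ac_cv_lib_ssl_SSL_library_init=yes
+ac_cv_lib_ssl_SSL_new=yes
 else
-ac_cv_lib_ssl_SSL_library_init=no
+ac_cv_lib_ssl_SSL_new=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
 conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{$as_echo"$as_me:${as_lineno-$LINENO}: result:$ac_cv_lib_ssl_SSL_library_init">&5
-$as_echo"$ac_cv_lib_ssl_SSL_library_init">&6; }
-iftest"x$ac_cv_lib_ssl_SSL_library_init" = xyes;then:
+{$as_echo"$as_me:${as_lineno-$LINENO}: result:$ac_cv_lib_ssl_SSL_new">&5
+$as_echo"$ac_cv_lib_ssl_SSL_new">&6; }
+iftest"x$ac_cv_lib_ssl_SSL_new" = xyes;then:
 cat>>confdefs.h<<_ACEOF
 #define HAVE_LIBSSL 1
 _ACEOF
@@ -9644,9 +9644,9 @@ else
 as_fn_error$?"library 'eay32' or 'crypto' is required for OpenSSL""$LINENO" 5
 fi
 
-{$as_echo"$as_me:${as_lineno-$LINENO}: checking for library containingSSL_library_init">&5
-$as_echo_n"checking for library containingSSL_library_init...">&6; }
-if${ac_cv_search_SSL_library_init+:}false;then:
+{$as_echo"$as_me:${as_lineno-$LINENO}: checking for library containingSSL_new">&5
+$as_echo_n"checking for library containingSSL_new...">&6; }
+if${ac_cv_search_SSL_new+:}false;then:
 $as_echo_n"(cached)">&6
 else
 ac_func_search_save_LIBS=$LIBS
@@ -9659,11 +9659,11 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 #ifdef __cplusplus
 extern "C"
 #endif
-charSSL_library_init ();
+charSSL_new ();
 int
 main ()
 {
-returnSSL_library_init ();
+returnSSL_new ();
 ;
 return 0;
 }
@@ -9676,25 +9676,25 @@ for ac_lib in '' ssleay32 ssl; do
 LIBS="-l$ac_lib$ac_func_search_save_LIBS"
 fi
 if ac_fn_c_try_link"$LINENO";then:
-ac_cv_search_SSL_library_init=$ac_res
+ac_cv_search_SSL_new=$ac_res
 fi
 rm -f core conftest.err conftest.$ac_objext \
 conftest$ac_exeext
-if${ac_cv_search_SSL_library_init+:}false;then:
+if${ac_cv_search_SSL_new+:}false;then:
 break
 fi
 done
-if${ac_cv_search_SSL_library_init+:}false;then:
+if${ac_cv_search_SSL_new+:}false;then:
 
 else
-ac_cv_search_SSL_library_init=no
+ac_cv_search_SSL_new=no
 fi
 rm conftest.$ac_ext
 LIBS=$ac_func_search_save_LIBS
 fi
-{$as_echo"$as_me:${as_lineno-$LINENO}: result:$ac_cv_search_SSL_library_init">&5
-$as_echo"$ac_cv_search_SSL_library_init">&6; }
-ac_res=$ac_cv_search_SSL_library_init
+{$as_echo"$as_me:${as_lineno-$LINENO}: result:$ac_cv_search_SSL_new">&5
+$as_echo"$ac_cv_search_SSL_new">&6; }
+ac_res=$ac_cv_search_SSL_new
 iftest"$ac_res"!= no;then:
 test"$ac_res" ="none required"|| LIBS="$ac_res$LIBS"
 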
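--- a/configure.in
+++ b/configure.in
@@ -1112,10 +1112,10 @@ if test "$with_openssl" = yes ; then
 dnl Order matters!
 if test "$PORTNAME" != "win32"; then
 AC_CHECK_LIB(crypto, CRYPTO_new_ex_data, [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])])
-AC_CHECK_LIB(ssl,SSL_library_init, [], [AC_MSG_ERROR([library 'ssl' is required for OpenSSL])])
+AC_CHECK_LIB(ssl,SSL_new, [], [AC_MSG_ERROR([library 'ssl' is required for OpenSSL])])
 else
 AC_SEARCH_LIBS(CRYPTO_new_ex_data, eay32 crypto, [], [AC_MSG_ERROR([library 'eay32' or 'crypto' is required for OpenSSL])])
-AC_SEARCH_LIBS(SSL_library_init, ssleay32 ssl, [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
+AC_SEARCH_LIBS(SSL_new, ssleay32 ssl, [], [AC_MSG_ERROR([library 'ssleay32' or 'ssl' is required for OpenSSL])])
 fi
 AC_CHECK_FUNCS([SSL_get_current_compression])
 fi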
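Review bot: Both library probes in this hunk now test for `SSL_new`, but nothing in the file records why that symbol was chosen, so a later cleanup could switch back to the more obvious `SSL_library_init`. The commit message gives the reason (SSL_library_init is a macro in OpenSSL 1.1.0, which presumably makes the link test for it fail). I would put it next to the existing `dnl Order matters!` line, e.g. `dnl SSL_library_init is a macro in OpenSSL 1.1.0, so probe for SSL_new instead.` The enclosing `if test "$with_openssl" = yes` block starts before the hunk.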

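--- a/contrib/pgcrypto/internal.c
+++ b/contrib/pgcrypto/internal.c
@@ -620,15 +620,6 @@ px_find_cipher(const char *name, PX_Cipher **res)
 * Randomness provider
 */
 
-/*
-* Use always strong randomness.
-*/
-int
-px_get_pseudo_random_bytes(uint8*dst,unsignedcount)
-{
-returnpx_get_random_bytes(dst,count);
-}
-
 statictime_tseed_time=0;
 statictime_tcheck_time=0;
 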
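--- a/contrib/pgcrypto/openssl.c
+++ b/contrib/pgcrypto/openssl.c
@@ -41,6 +41,9 @@
 #include<openssl/rand.h>
 #include<openssl/err.h>
 
+#include"utils/memutils.h"
+#include"utils/resowner.h"
+
 /*
 * Max lengths we might want to handle.
 */
@@ -51,60 +54,113 @@
 * Hashes
 */
 
+/*
+* To make sure we don't leak OpenSSL handles on abort, we keep OSSLDigest
+* objects in a linked list, allocated in TopMemoryContext. We use the
+* ResourceOwner mechanism to free them on abort.
+*/
 typedefstructOSSLDigest
 {
 constEVP_MD*algo;
-EVP_MD_CTXctx;
+EVP_MD_CTX*ctx;
+
+ResourceOwnerowner;
+structOSSLDigest*next;
+structOSSLDigest*prev;
 }OSSLDigest;
 
+staticOSSLDigest*open_digests=NULL;
+staticboolresowner_callback_registered= false;
+
+staticvoid
+free_openssldigest(OSSLDigest*digest)
+{
+EVP_MD_CTX_destroy(digest->ctx);
+if (digest->prev)
+digest->prev->next=digest->next;
+else
+open_digests=digest->next;
+if (digest->next)
+digest->next->prev=digest->prev;
+pfree(digest);
+}
+
+/*
+* Close any open OpenSSL handles on abort.
+*/
+staticvoid
+digest_free_callback(ResourceReleasePhasephase,
+boolisCommit,
+boolisTopLevel,
+void*arg)
+{
+OSSLDigest*curr;
+OSSLDigest*next;
+
+if (phase!=RESOURCE_RELEASE_AFTER_LOCKS)
+return;
+
+next=open_digests;
+while (next)
+{
+curr=next;
+next=curr->next;
+
+if (curr->owner==CurrentResourceOwner)
+{
+if (isCommit)
+elog(WARNING,"pgcrypto digest reference leak: digest %p still referenced",curr);
+free_openssldigest(curr);
+}
+}
+}
+
 staticunsigned
 digest_result_size(PX_MD*h)
 {
 OSSLDigest*digest= (OSSLDigest*)h->p.ptr;
 
-returnEVP_MD_CTX_size(&digest->ctx);
+returnEVP_MD_CTX_size(digest->ctx);
 }
 
 staticunsigned
 digest_block_size(PX_MD*h)
 {
 OSSLDigest*digest= (OSSLDigest*)h->p.ptr;
 
-returnEVP_MD_CTX_block_size(&digest->ctx);
+returnEVP_MD_CTX_block_size(digest->ctx);
 }
 
 staticvoid
 digest_reset(PX_MD*h)
 {
 OSSLDigest*digest= (OSSLDigest*)h->p.ptr;
 
-EVP_DigestInit_ex(&digest->ctx,digest->algo,NULL);
+EVP_DigestInit_ex(digest->ctx,digest->algo,NULL);
 }
 
 staticvoid
 digest_update(PX_MD*h,constuint8*data,unsigneddlen)
 {
 OSSLDigest*digest= (OSSLDigest*)h->p.ptr;
 
-EVP_DigestUpdate(&digest->ctx,data,dlen);
+EVP_DigestUpdate(digest->ctx,data,dlen);
 }
 
 staticvoid
 digest_finish(PX_MD*h,uint8*dst)
 {
 OSSLDigest*digest= (OSSLDigest*)h->p.ptr;
 
-EVP_DigestFinal_ex(&digest->ctx,dst,NULL);
+EVP_DigestFinal_ex(digest->ctx,dst,NULL);
 }
 
 staticvoid
 digest_free(PX_MD*h)
 {
 OSSLDigest*digest= (OSSLDigest*)h->p.ptr;
 
-EVP_MD_CTX_cleanup(&digest->ctx);
-
-px_free(digest);
+free_openssldigest(digest);
 px_free(h);
 }
 
@@ -116,6 +172,7 @@ int
 px_find_digest(constchar*name,PX_MD**res)
 {
 constEVP_MD*md;
+EVP_MD_CTX*ctx;
 PX_MD*h;
 OSSLDigest*digest;
 
@@ -125,17 +182,43 @@ px_find_digest(const char *name, PX_MD **res)
 OpenSSL_add_all_algorithms();
 }
 
+if (!resowner_callback_registered)
+{
+RegisterResourceReleaseCallback(digest_free_callback,NULL);
+resowner_callback_registered= true;
+}
+
 md=EVP_get_digestbyname(name);
 if (md==NULL)
 returnPXE_NO_HASH;
 
-digest=px_alloc(sizeof(*digest));
-digest->algo=md;
+/*
+* Create an OSSLDigest object, an OpenSSL MD object, and a PX_MD object.
+* The order is crucial, to make sure we don't leak anything on
+* out-of-memory or other error.
+*/
+digest=MemoryContextAlloc(TopMemoryContext,sizeof(*digest));
 
-EVP_MD_CTX_init(&digest->ctx);
-if (EVP_DigestInit_ex(&digest->ctx,digest->algo,NULL)==0)
+ctx=EVP_MD_CTX_create();
+if (!ctx)
+{
+pfree(digest);
+return-1;
+}
+if (EVP_DigestInit_ex(ctx,md,NULL)==0)
+{
+pfree(digest);
 return-1;
+}
 
+digest->algo=md;
+digest->ctx=ctx;
+digest->owner=CurrentResourceOwner;
+digest->next=open_digests;
+digest->prev=NULL;
+open_digests=digest;
+
+/* The PX_MD object is allocated in the current memory context. */
 h=px_alloc(sizeof(*h));
 h->result_size=digest_result_size;
 h->block_size=digest_block_size;
@@ -831,6 +914,10 @@ px_find_cipher(const char *name, PX_Cipher **res)
 
 staticintopenssl_random_init=0;
 
+#ifOPENSSL_VERSION_NUMBER<0x10100000L
+#defineRAND_OpenSSL RAND_SSLeay
+#endif
+
 /*
 * OpenSSL random should re-feeded occasionally. From /dev/urandom
 * preferably.
@@ -839,7 +926,7 @@ static void
 init_openssl_rand(void)
 {
 if (RAND_get_rand_method()==NULL)
-RAND_set_rand_method(RAND_SSLeay());
+RAND_set_rand_method(RAND_OpenSSL());
 openssl_random_init=1;
 }
 
@@ -858,21 +945,6 @@ px_get_random_bytes(uint8 *dst, unsigned count)
 returnPXE_OSSL_RAND_ERROR;
 }
 
-int
-px_get_pseudo_random_bytes(uint8*dst,unsignedcount)
-{
-intres;
-
-if (!openssl_random_init)
-init_openssl_rand();
-
-res=RAND_pseudo_bytes(dst,count);
-if (res==0||res==1)
-returncount;
-
-returnPXE_OSSL_RAND_ERROR;
-}
-
 int
 px_add_entropy(constuint8*data,unsignedcount)
 {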
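Review bot: In px_find_digest, the new failure branch for `EVP_DigestInit_ex(ctx, md, NULL) == 0` frees `digest` but never releases `ctx`, so the context returned by `EVP_MD_CTX_create()` leaks whenever initialisation fails. At that point the digest has not yet been linked into `open_digests`, so digest_free_callback cannot reclaim the handle on abort either. Add `EVP_MD_CTX_destroy(ctx);` before `pfree(digest);` in that branch, matching what free_openssldigest does on the normal path. The body of px_find_digest continues past the end of the hunk.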

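--- a/contrib/pgcrypto/pgcrypto.c
+++ b/contrib/pgcrypto/pgcrypto.c
@@ -454,7 +454,7 @@ pg_random_uuid(PG_FUNCTION_ARGS)
 interr;
 
 /* generate random bits */
-err=px_get_pseudo_random_bytes(buf,UUID_LEN);
+err=px_get_random_bytes(buf,UUID_LEN);
 if (err<0)
 ereport(ERROR,
 (errcode(ERRCODE_EXTERNAL_ROUTINE_INVOCATION_EXCEPTION),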

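--- a/contrib/pgcrypto/pgp-s2k.c
+++ b/contrib/pgcrypto/pgp-s2k.c
@@ -233,13 +233,13 @@ pgp_s2k_fill(PGP_S2K *s2k, int mode, int digest_algo, int count)
 casePGP_S2K_SIMPLE:
 break;
 casePGP_S2K_SALTED:
-res=px_get_pseudo_random_bytes(s2k->salt,PGP_S2K_SALT);
+res=px_get_random_bytes(s2k->salt,PGP_S2K_SALT);
 break;
 casePGP_S2K_ISALTED:
-res=px_get_pseudo_random_bytes(s2k->salt,PGP_S2K_SALT);
+res=px_get_random_bytes(s2k->salt,PGP_S2K_SALT);
 if (res<0)
 break;
-res=px_get_pseudo_random_bytes(&tmp,1);
+res=px_get_random_bytes(&tmp,1);
 if (res<0)
 break;
 s2k->iter=decide_s2k_iter(tmp,count);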
